ash_policy_authorizer v0.15.0 AshPolicyAuthorizer.Check behaviour View Source

A behaviour for declaring checks, which can be used to easily construct authorization rules.

If a check can be expressed simply as a function of the actor, or the context of the request, see AshPolicyAuthorizer.SimpleCheck for an easy way to write that check. If a check can be expressed simply with a filter statement, see AshPolicyAuthorizer.FilterCheck for an easy way to write that check.

Link to this section Summary

Callbacks

An optional callback, that allows the check to work with policies set to access_type :filter

An optional callback, hat allows the check to work with policies set to access_type :runtime

Describe the check in human readable format, given the options

Strict checks should be cheap, and should never result in external calls (like database or api)

The type fo the check

Link to this section Types

Specs

Specs

check_type() :: :simple | :filter | :manual

Specs

options() :: Keyword.t()

Link to this section Functions

Link to this function

defines_auto_filter?(module)

View Source

Link to this section Callbacks

Link to this callback

auto_filter(struct, authorizer, options)

View Source (optional)

Specs

auto_filter(struct(), authorizer(), options()) :: Keyword.t()

An optional callback, that allows the check to work with policies set to access_type :filter

Return a keyword list filter that will be applied to the query being made, and will scope the results to match the rule

Link to this callback

check(struct, list, map, options)

View Source (optional)

Specs

check(struct(), [Ash.Resource.record()], map(), options()) ::
  {:ok, [Ash.Resource.record()] | boolean()} | {:error, Ash.Error.t()}

An optional callback, hat allows the check to work with policies set to access_type :runtime

Takes a list of records, and returns {:ok, true} if they are all authorized, or {:ok, list} containing the list of records that are authorized. You can also just return the whole list, {:ok, true} is just a shortcut.

Can also return {:error, error} if something goes wrong

Specs

describe(options()) :: String.t()

Describe the check in human readable format, given the options

Link to this callback

strict_check(struct, authorizer, options)

View Source

Specs

strict_check(struct(), authorizer(), options()) :: {:ok, boolean() | :unknown}

Strict checks should be cheap, and should never result in external calls (like database or api)

It should return {:ok, true} if it can tell that the request is authorized, and {:ok, false} if it can tell that it is not. If unsure, it should return {:ok, :unknown}

Specs

type() :: check_type()

The type fo the check

:manual checks must be written by hand as standard check modules :filter checks can use AshPolicyAuthorizer.FilterCheck for simplicity :simple checks can use AshPolicyAuthorizer.SimpleCheck for simplicity